Faux Firefox Add-On Enslaves Systems for Botnet Operation

A rogue application posing as a Firefox add-on has enslaved as many as 12,500 systems in a botnet operation that examines websites the infected systems visit and searches for exploitable security vulnerabilities.

“The botnet, dubbed ‘Advanced Power’ by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim,” wrote Brian Krebs, who discovered the operation.

Analysis of the malware reveals that it does contain a module designed to exfiltrate sensitive data and user credentials, but it does not appear that this functionality has been activated at this time.

Instead, Krebs says that the malware is specifically designed as a “distributed scanning platform for finding exploitable Web sites,” and is believed to have been used to “discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.”

“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” said Alex Holden, chief information security officer at Hold Security LLC.

“You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means is it a full regression test, but it is a deep and innovative approach.”
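The distinctive trace such a botnet leaves on a target site is the same parameter of an otherwise ordinary request being probed from many unrelated client addresses. As an added example, not code from the article or from any party it quotes, the script below scans web-server access logs for that pattern; the log lines are constructed, and the injection-probe regex is an assumption that covers only the cheapest first-pass probes.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from the article): three different
# client IPs request the same page with probes appended to a parameter that
# an ordinary visitor also requests with a plain value.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2013:10:00:01 +0000] "GET /product.php?id=42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Dec/2013:10:00:02 +0000] "GET /product.php?id=42%27 HTTP/1.1" 500 88
10.0.0.9 - - [01/Dec/2013:10:05:10 +0000] "GET /product.php?id=42+AND+1%3D1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Dec/2013:10:05:11 +0000] "GET /product.php?id=42+AND+1%3D2 HTTP/1.1" 200 77
10.0.0.21 - - [01/Dec/2013:11:15:00 +0000] "GET /product.php?id=42%27+OR+%271%27%3D%271 HTTP/1.1" 200 512
10.0.0.33 - - [01/Dec/2013:11:20:00 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 2048
"""

# Common (combined) log format: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed, deliberately conservative patterns: a stray quote, or a boolean
# tautology/contradiction appended to a value. Tune for the site in question.
PROBE_RE = re.compile(r"(')|(\b(and|or)\b\s+\S+\s*=\s*\S+)", re.IGNORECASE)


def is_probe(value: str) -> bool:
    """True if a decoded query-string value looks like an injection probe."""
    return PROBE_RE.search(value) is not None


def distributed_probes(log_text: str, min_sources: int = 2):
    """Map (path, parameter) -> sorted client IPs for parameters probed from at
    least `min_sources` distinct addresses: the signature of a scanner riding
    on many victims' browsers rather than a single attacker host."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlparse(m.group("target"))
        # parse_qs already percent-decodes values and turns '+' into spaces
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            if any(is_probe(v) for v in values):
                sources[(url.path, param)].add(m.group("ip"))
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


if __name__ == "__main__":
    for (path, param), ips in distributed_probes(SAMPLE_LOG).items():
        print(f"{path} ?{param}= probed from {len(ips)} sources: {', '.join(ips)}")
```

A single address sending probes is routine scanner noise; the same parameter probed from several distinct visitors is worth correlating with the site's other logs and is the case the grouping here is meant to surface.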

Mozilla issued a statement saying they “disabled the fraudulent Microsoft .NET Framework Assistant add-on used by the Advanced Power botnet.”